From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Tue, 10 Aug 2010 22:49:06 +0000 (-0700)
Subject: .27 patches
X-Git-Tag: v2.6.32.19~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7d0412429d8550109760c9d4718c84b5a317f903;p=thirdparty%2Fkernel%2Fstable-queue.git

.27 patches
---

diff --git a/queue-2.6.27/nvram-fix-write-beyond-end-condition-prove-to-gcc-copy-is-safe.patch b/queue-2.6.27/nvram-fix-write-beyond-end-condition-prove-to-gcc-copy-is-safe.patch
new file mode 100644
index 00000000000..1e069a65c03
--- /dev/null
+++ b/queue-2.6.27/nvram-fix-write-beyond-end-condition-prove-to-gcc-copy-is-safe.patch
@@ -0,0 +1,64 @@
+From a01c7800420d2c294ca403988488a635d4087a6d Mon Sep 17 00:00:00 2001
+From: H. Peter Anvin <hpa@zytor.com>
+Date: Fri, 11 Dec 2009 15:48:23 -0800
+Subject: nvram: Fix write beyond end condition; prove to gcc copy is safe
+
+From: H. Peter Anvin <hpa@zytor.com>
+
+commit a01c7800420d2c294ca403988488a635d4087a6d upstream.
+
+In nvram_write, first of all, correctly handle the case where the file
+pointer is already beyond the end; we should return EOF in that case.
+
+Second, make the logic a bit more explicit so that gcc can statically
+prove that the copy_from_user() is safe.  Once the condition of the
+beyond-end filepointer is eliminated, the copy is safe but gcc can't
+prove it, causing build failures for i386 allyesconfig.
+
+Third, eliminate the entirely superfluous variable "len", and just use
+the passed-in variable "count" instead.
+
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Cc: Arjan van de Ven <arjan@infradead.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Wim Van Sebroeck <wim@iguana.be>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+LKML-Reference: <tip-*@git.kernel.org>
+Cc: Stephen Hemminger <shemminger@vyatta.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/nvram.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/nvram.c
++++ b/drivers/char/nvram.c
+@@ -265,10 +265,16 @@ nvram_write(struct file *file, const cha
+ 	unsigned char contents[NVRAM_BYTES];
+ 	unsigned i = *ppos;
+ 	unsigned char *tmp;
+-	int len;
+ 
+-	len = (NVRAM_BYTES - i) < count ? (NVRAM_BYTES - i) : count;
+-	if (copy_from_user(contents, buf, len))
++	if (i >= NVRAM_BYTES)
++		return 0;	/* Past EOF */
++
++	if (count > NVRAM_BYTES - i)
++		count = NVRAM_BYTES - i;
++	if (count > NVRAM_BYTES)
++		return -EFAULT;	/* Can't happen, but prove it to gcc */
++
++	if (copy_from_user(contents, buf, count))
+ 		return -EFAULT;
+ 
+ 	spin_lock_irq(&rtc_lock);
+@@ -276,7 +282,7 @@ nvram_write(struct file *file, const cha
+ 	if (!__nvram_check_checksum())
+ 		goto checksum_err;
+ 
+-	for (tmp = contents; count-- > 0 && i < NVRAM_BYTES; ++i, ++tmp)
++	for (tmp = contents; count--; ++i, ++tmp)
+ 		__nvram_write_byte(*tmp, i);
+ 
+ 	__nvram_set_checksum();